Privacy Commissioner releases report on Sydney Uni security breach

Media release

The NSW Privacy Commissioner has found that the University of Sydney breached its obligations to protect students’ personal data during an information leak earlier this year.

Acting Privacy Commissioner John McAteer has released a report into an alleged security breach involving students’ personal information on the University of Sydney’s website.

Mr McAteer said his investigation found that the university had breached the Privacy and Personal Information Protection Act 1998 (PPIP Act).

“The investigation into this matter has revealed that the university did not meet its obligations under New South Wales law,” Mr McAteer said.

“The leaking of students’ personal data resulted from a programming error that enabled direct access to student records without the need for a password.

“This error could reasonably have been detected with proper testing, leading to my finding that the university did not take the appropriate steps to ensure the security of students’ personal information.”

The Commissioner launched an own motion investigation into the security breach following media coverage earlier this year.

Newspaper reports in late January revealed a leak of students’ personal data through the University of Sydney website.

The Commissioner’s report noted the university’s response to the breach, saying it reacted with “urgency and effectiveness” once notified of the issue.

“In a positive finding, the university took immediate action to rectify the matter and put systems in place to prevent further leaks,” Mr McAteer said.

The report can be accessed on the Office of the Privacy Commissioner website.